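<%@ language = vbscript codepage = 936%>
<%
'option explicit
'response.buffer = true

' ---------------------------------------------------------------------------
' Request filter (legacy "anti SQL injection" substring blacklist).
'
' Every query-string and form parameter is lower-cased and compared against
' fy_words; a hit aborts the request according to fy_cl. This is a coarse
' blacklist: it also rejects ordinary values (any word containing "or" or
' "and", any URL because of ":"), and a substring blacklist is not a
' substitute for parameterized queries -- every SQL statement built from
' request data must still use ADODB.Command parameters. Keep this filter as
' defence in depth only.
' ---------------------------------------------------------------------------
dim fy_cl, fy_ts, fy_zx, fy_words, fy_name, fy_hit

fy_cl = 3                       ' action on a hit: 1 = show message, 2 = redirect, 3 = message then redirect
fy_zx = "inc/error.htm"         ' page to redirect to (modes 2 and 3)
fy_ts = "Request rejected."     ' message shown in modes 1 and 3 (constructed default; replace with the site's own text)

' Patterns are matched against the URL-decoded parameter value, so they are
' written with plain spaces: the old "insert%20" style patterns could never
' match a decoded value and were dead checks.
fy_words = array("'", ";", ":", "=", "(", ")", "<", ">", "char(", "and", "or", "select", _
                 "insert ", "update ", "delete from", "mid(", "count(", "asc(", "drop table", _
                 "net user", "truncate ", "xp_cmdshell", "net localgroup administrators", "master.")

' Parameter names come from the parsed request collections instead of a
' hand-rolled split of query_string (which errored on entries without "=",
' silenced only by on error resume next). Form fields are scanned too; the
' old code only looked at names present in the query string.
fy_hit = false
for each fy_name in request.querystring
    if fy_checkvalue(request.querystring(fy_name)) then
        fy_hit = true
        exit for
    end if
next
if not fy_hit then
    for each fy_name in request.form
        if fy_checkvalue(request.form(fy_name)) then
            fy_hit = true
            exit for
        end if
    next
end if

if fy_hit then
    ' fy_cl is numeric, so the cases must be numeric as well: the old
    ' string cases "1"/"2"/"3" never matched and fy_zx was never used.
    select case fy_cl
        case 1
            response.write server.htmlencode(fy_ts)
        case 2
            response.redirect fy_zx
        case 3
            response.write server.htmlencode(fy_ts)
            response.write "<meta http-equiv=""refresh"" content=""3;url=" & fy_zx & """>"
        case else
            response.write server.htmlencode(fy_ts)
    end select
    response.end
end if

' Returns true when the lower-cased value contains any substring from fy_words.
' Empty and Null values never match ("" & v coerces both to "").
function fy_checkvalue(v)
    dim lv, w
    fy_checkvalue = false
    lv = lcase("" & v)
    if lv = "" then exit function
    for each w in fy_words
        if instr(lv, w) > 0 then
            fy_checkvalue = true
            exit function
        end if
    next
end function

' ---------------------------------------------------------------------------
' Database connection.
' ---------------------------------------------------------------------------
const issqldatabase = 0         ' 1 = SQL Server, 0 = Access (Jet)
dim conn, connstr
set conn = server.createobject("adodb.connection")
if issqldatabase = 1 then
    ' SQL Server parameters: database name, password, user name, server
    ' ("(local)" for a local instance, otherwise an IP address).
    ' NOTE(review): the credentials live in page source; the login used here
    ' should be a low-privilege account scoped to this database, not sa.
    dim sqldatabasename, sqlpassword, sqlusername, sqllocalname
    sqldatabasename = "sql数据库名"
    sqlpassword = "数据库密码"
    sqlusername = "数据库用户名"
    sqllocalname = "(local)"
    connstr = "provider = sqloledb; user id = " & sqlusername & "; password = " & sqlpassword & "; initial catalog = " & sqldatabasename & "; data source = " & sqllocalname & ";"
else
    ' Access data file, resolved relative to the site root. Because it sits
    ' inside the web root it is reachable over HTTP unless the server refuses
    ' to serve it; prefer a directory outside the web root (mappath of a
    ' parent path) or an IIS rule that denies requests for the data directory.
    dim db
    db = "database/data#data.asp"
    connstr = "provider = microsoft.jet.oledb.4.0;data source = " & server.mappath(db)
end if
' on error resume next is deliberately left in effect for the rest of the
' page, as in the original include; pages that include this file may rely on it.
on error resume next
conn.open connstr
if err then
    err.clear
    set conn = nothing
    response.write "sorry!数据库连接出错,网站可能正在维护中,请稍后访问。"
    response.end
end if
%>
<%
' Truncate str to a display width of strlen columns, counting characters whose
' code is outside 0-255 (double-byte on codepage 936) as two columns.
' Returns str unchanged when it fits, otherwise the leading characters up to
' the cut point followed by a single space; returns "" for an empty str.
' abs() is needed because asc() yields negative values for double-byte
' characters on this code page.
function gottopic(str, strlen)
    dim i, width, code
    gottopic = str
    if str = "" then exit function
    width = 0
    for i = 1 to len(str)
        code = abs(asc(mid(str, i, 1)))
        if code > 255 then
            width = width + 2
        else
            width = width + 1
        end if
        if width >= strlen then
            gottopic = left(str, i) & " "
            exit for
        end if
    next
end function
%>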